
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="zh_Hans">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 1.5.4 release notes &#8212; Django 3.2.6.dev documentation</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="next" title="Django 1.5.3 release notes" href="1.5.3.html" />
    <link rel="prev" title="Django 1.5.5 release notes" href="1.5.5.html" />



 
<script src="../templatebuiltins.js"></script>
<script>
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);</script>

  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 3.2.6.dev documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="1.5.5.html" title="Django 1.5.5 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="1.5.3.html" title="Django 1.5.3 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-1.5.4">
            
  <div class="section" id="s-django-1-5-4-release-notes">
<span id="django-1-5-4-release-notes"></span><h1>Django 1.5.4 release notes<a class="headerlink" href="#django-1-5-4-release-notes" title="Permalink to this headline">¶</a></h1>
<p><em>September 14, 2013</em></p>
<p>This is Django 1.5.4, the fourth release in the Django 1.5 series. It addresses
two security issues and one bug.</p>
<div class="section" id="s-denial-of-service-via-password-hashers">
<span id="denial-of-service-via-password-hashers"></span><h2>Denial-of-service via password hashers<a class="headerlink" href="#denial-of-service-via-password-hashers" title="Permalink to this headline">¶</a></h2>
<p>In previous versions of Django, no limit was imposed on the plaintext
length of a password. This allowed a denial-of-service attack through
submission of bogus but extremely large passwords, tying up server
resources in calculating the corresponding hash, a calculation that is
expensive and becomes more expensive as the password grows longer.</p>
<p>As of 1.5.4, Django's authentication framework imposes a 4096-byte
limit on passwords, and will fail authentication with any submitted
password of greater length.</p>
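<p>A sketch of the length guard described above, as an added example rather than Django's own code: the submitted password is measured in encoded bytes and rejected before the key-derivation function runs. The PBKDF2 parameters, the function names and the <code>STATS</code> counter are assumptions of this sketch.</p>

```python
import hashlib
import hmac
import os

MAX_PASSWORD_LENGTH = 4096   # bytes, the limit stated in these release notes
ITERATIONS = 10000           # assumed work factor for this sketch
STATS = {"kdf_calls": 0}     # counts how often the expensive step really runs

def _derive(raw, salt):
    """Expensive step: PBKDF2-HMAC-SHA256 over the submitted bytes."""
    STATS["kdf_calls"] += 1
    return hashlib.pbkdf2_hmac("sha256", raw, salt, ITERATIONS)

def make_password(password):
    """Return (salt, digest). Rejecting oversized input here is this sketch's
    choice, so nobody enrolls a password that could never authenticate."""
    raw = password.encode("utf-8")
    if len(raw) > MAX_PASSWORD_LENGTH:
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_LENGTH)
    salt = os.urandom(16)
    return salt, _derive(raw, salt)

def check_password(submitted, salt, expected):
    """Fail authentication for oversized input before any hashing happens."""
    raw = submitted.encode("utf-8")
    # Measure encoded bytes, not characters: 2000 CJK characters are 6000 bytes.
    if len(raw) > MAX_PASSWORD_LENGTH:
        return False
    return hmac.compare_digest(_derive(raw, salt), expected)
```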
</div>
<div class="section" id="s-corrected-usage-of-sensitive-post-parameters-in-django-contrib-auths-admin">
<span id="corrected-usage-of-sensitive-post-parameters-in-django-contrib-auths-admin"></span><h2>Corrected usage of <a class="reference internal" href="../howto/error-reporting.html#django.views.decorators.debug.sensitive_post_parameters" title="django.views.decorators.debug.sensitive_post_parameters"><code class="xref py py-func docutils literal notranslate"><span class="pre">sensitive_post_parameters()</span></code></a> in <a class="reference internal" href="../topics/auth/index.html#module-django.contrib.auth" title="django.contrib.auth: Django's authentication framework."><code class="xref py py-mod docutils literal notranslate"><span class="pre">django.contrib.auth</span></code></a>’s admin<a class="headerlink" href="#corrected-usage-of-sensitive-post-parameters-in-django-contrib-auths-admin" title="Permalink to this headline">¶</a></h2>
<p>The decoration of the <code class="docutils literal notranslate"><span class="pre">add_view</span></code> and <code class="docutils literal notranslate"><span class="pre">user_change_password</span></code> user admin
views with <a class="reference internal" href="../howto/error-reporting.html#django.views.decorators.debug.sensitive_post_parameters" title="django.views.decorators.debug.sensitive_post_parameters"><code class="xref py py-func docutils literal notranslate"><span class="pre">sensitive_post_parameters()</span></code></a>
did not include <a class="reference internal" href="../ref/utils.html#django.utils.decorators.method_decorator" title="django.utils.decorators.method_decorator"><code class="xref py py-func docutils literal notranslate"><span class="pre">method_decorator()</span></code></a> (required
since the views are methods) resulting in the decorator not being properly
applied. This usage has been fixed and
<a class="reference internal" href="../howto/error-reporting.html#django.views.decorators.debug.sensitive_post_parameters" title="django.views.decorators.debug.sensitive_post_parameters"><code class="xref py py-func docutils literal notranslate"><span class="pre">sensitive_post_parameters()</span></code></a> will now
throw an exception if it's improperly used.</p>
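<p>Why the missing <code>method_decorator()</code> matters, as an added example that does not import Django: the classes and both decorators below are simplified stand-ins written for this illustration, not the framework's implementation. Applied directly to a method, the wrapper receives <code>self</code> where it expects the request, so the request is never tagged; the type check turns that silent miss into an error.</p>

```python
import functools

class HttpRequest:
    """Stand-in for django.http.HttpRequest (this sketch does not import Django)."""
    def __init__(self, post):
        self.POST = post
        self.sensitive_post_parameters = None

def sensitive_post_parameters(*names):
    """Simplified stand-in: tag the request so error reports can mask these fields."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            # Wrapping a method directly puts `self` here, not the request.
            # Without this check the tag would land on the admin object instead.
            if not isinstance(request, HttpRequest):
                raise TypeError("did not receive an HttpRequest; "
                                "use method_decorator on methods")
            request.sensitive_post_parameters = names or "__ALL__"
            return view(request, *args, **kwargs)
        return wrapper
    return decorator

def method_decorator(decorator):
    """Simplified stand-in: adapt a function decorator to a method."""
    def adapt(method):
        @functools.wraps(method)
        def wrapper(self, *args, **kwargs):
            bound = functools.partial(method, self)   # hide self from the decorator
            return decorator(bound)(*args, **kwargs)
        return wrapper
    return adapt

class BrokenUserAdmin:
    @sensitive_post_parameters()          # misapplied: first argument is self
    def add_view(self, request):
        return "added"

class FixedUserAdmin:
    @method_decorator(sensitive_post_parameters())
    def add_view(self, request):
        return "added"

def marked_fields(admin_cls):
    """Call add_view with a constructed request and report how it was tagged."""
    request = HttpRequest({"password1": "s3cret", "password2": "s3cret"})
    admin_cls().add_view(request)
    return request.sensitive_post_parameters
```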
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Fixed a bug that prevented a <code class="docutils literal notranslate"><span class="pre">QuerySet</span></code> that uses
<a class="reference internal" href="../ref/models/querysets.html#django.db.models.query.QuerySet.prefetch_related" title="django.db.models.query.QuerySet.prefetch_related"><code class="xref py py-meth docutils literal notranslate"><span class="pre">prefetch_related()</span></code></a> from being pickled
and unpickled more than once (the second pickling attempt raised an
exception) (#21102).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
              <h3>Last update:</h3>
              <p class="topless">July 23, 2021</p>
          </div>
        
      
    </div>

  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>